Promoting Application Security within Federal Government. AppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org

Similar documents
Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Get Confidence in Mission Security with IV&V Information Assurance

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Looking at the SANS 20 Critical Security Controls

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

CTR System Report FISMA

IT Security Management Risk Analysis and Controls

Security Controls Assessment for Federal Information Systems

Security Compliance In a Post-ACA World

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

Security and Privacy Controls for Federal Information Systems and Organizations

Requirements For Computer Security

COORDINATION DRAFT. FISCAM to NIST Special Publication Revision 4. Title / Description (Critical Element)

System Security Certification and Accreditation (C&A) Framework

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

HHS Information System Security Controls Catalog V 1.0

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

CONTINUOUS MONITORING

Altius IT Policy Collection Compliance and Standards Matrix

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

elearning for Secure Application Development

Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) An Assessment of Cyber-Ark's Solutions

Security Control Standard

Security Self-Assessment Tool

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

05.0 Application Development

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

ASIA/PAC AERONAUTICAL TELECOMMUNICATION NETWORK SECURITY GUIDANCE DOCUMENT

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1

Adobe Systems Incorporated

FISMA: Securing National Infrastructure

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

VIRGINIA DEPARTMENT OF MOTOR VEHICLES IT SECURITY POLICY. Version 2.

DIVISION OF INFORMATION SECURITY (DIS)

Cloud Security for Federal Agencies

Columbia University Web Security Standards and Practices. Objective and Scope

2012 FISMA Executive Summary Report

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Compliance Overview: FISMA / NIST SP800 53

What is Web Security? Motivation

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

<Insert Picture Here> How to protect sensitive data, challenges & risks

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Security Control Standards Catalog

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

CMS SYSTEM SECURITY PLAN (SSP) PROCEDURE

Where every interaction matters.

Security Control Standard

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Enterprise Application Security Program

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

FISMA / NIST REVISION 3 COMPLIANCE

INFORMATION TECHNOLOGY SECURITY POLICY Table of Contents

White Paper. Understanding NIST FISMA Requirements

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Magento Security and Vulnerabilities. Roman Stepanov

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

(WAPT) Web Application Penetration Testing

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Web application security

Secure Code Development

Office of Inspector General

Attack Vector Detail Report Atlassian

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Sitefinity Security and Best Practices

FITSP-Auditor Candidate Exam Guide

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Spillage and Cloud Computing

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Security Control Standard

Federal Desktop Core Configuration (FDCC)

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Passing PCI Compliance How to Address the Application Security Mandates

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Deriving Software Security Measures from Information Security Standards of Practice

External Supplier Control Requirements

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Columbia University Web Application Security Standards and Practices. Objective and Scope

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

The Top Web Application Attacks: Are you vulnerable?

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Transcription:

Promoting Application Security within Federal Government AppSec DC November 13, 2009 Dr. Sarbari Gupta, CISSP, CISA Founder/President Electrosoft sarbari@electrosoft-inc.com 703-437-9451 ext 12 The Foundation http://www.owasp.org

Application Security is NOT A JOKE! Courtesy of http://www.securitywizardry.com 2

Problem Statement Federal government takes information system security and assurance very seriously Focus areas for Federal security efforts include: Platform Security Network Security Perimeter Security Personnel Security Physical Security Acquisition Security, and so on HOWEVER, APPLICATION SECURITY HAS RECEIVED MEAGER ATTENTION!! 3

Agenda Application Security Best Practices Federal IT Security Landscape Mapping AppSec Best Practices to FISMA Observations Wrap-Up 4

Application Security Best Practices Application Security Training for Developers/Managers Documented Secure Coding Standards Formalized SDLC Processes Application Threat Modeling Documented Security Design/Architecture Automated Security Testing Manual Code Review Vulnerability and Penetration Analyses Continuous Monitoring for New Vulnerabilities Top Ten Vulnerabilities SANS Top 25 Coding Vulnerabilities NVD, Other lists 5

Agenda Application Security Best Practices Federal IT Security Landscape Mapping AppSec Best Practices to FISMA Observations Wrap-Up 6

Information Security Federal Landscape Federal Practices in Information Security is driven by REGULATORY COMPLIANCE Compliance with What? Title III of E-Government Act of 2002 Federal Information Security Management Act (FISMA) Privacy Act of 1974 OMB Circular A-130, Appendix III Homeland Security Presidential Directives HSPD-7, HSPD-12, etc. OMB Memos FISMA Reporting Privacy Data Encryption FDCC, etc. 7

FISMA Documentation NIST Standards and Guidelines FIPS 199 Standards for Security Categorization of Federal Information and Information Systems SP 800-37 Rev 1 DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach SP 800-53 Rev 3 Recommended Security Controls for Federal Information Systems and Organizations SP 800-53A - Guide for Assessing the Security Controls in Federal Information Systems 8

NIST Special Pub 800-53 Revision 3 ID FAMILY CLASS AC Access Control Technical AT Awareness and Training Operational AU Audit and Accountability Technical CA Security Assessment and Authorization Management CM Configuration Management Operational CP Contingency Planning Operational IA Identification and Authentication Technical IR Incident Response Operational MA Maintenance Operational MP Media Protection Operational PE Physical and Environmental Protection Operational PL Planning Management PS Personnel Security Operational RA Risk Assessment Management SA System and Services Acquisition Management SC System and Communications Protection Technical SI System and Information Integrity Operational PM Program Management Management Title: Recommended Security Controls for Federal Information Systems and Organizations Published: August 2009 Approach: Risk Management Framework Categorize Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize Information System Monitor Security Controls 18 families of Security Controls 9

Agenda Application Security Best Practices Federal IT Security Landscape Mapping AppSec Best Practices to FISMA Observations Wrap-Up 10

AppSec Best Practices Map to FISMA Controls Application Security Best Practices Application Security Training for Developers/Managers Documented Secure Coding Standards Formalized SDLC Processes Application Threat Modeling Documented Security Architecture Automated Testing Source Code Review Vulnerability and Penetration Analyses NIST 800-53 Rev3 Controls AT-3: Security Training SA-8: Security Engineering Principles SI-3: Malicious Code Protection SA-3: Life Cycle Support SA-8: Security Engineering Principles SA-13: Trustworthiness RA-3: Risk Assessment SA-5: Information System Documentation SA-11: Developer Security Testing CA-2: Security Assessments RA-5: Vulnerability Scanning SA-5: Information System Documentation CA-2: Security Assessments RA-5: Vulnerability Scanning Continuous Monitoring CA-7: Continuous Monitoring 11

Top Ten Vulnerabilities (2007) Map to FISMA Controls Top Ten Vulnerabilities A1 - Cross Site Scripting (XSS) A2 - Injection Flaws A3 - Malicious File Execution A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 - Information Leakage & Improper Error Handling A7 - Broken Authentication and Session Mgmt A8 - Insecure Cryptographic Storage A9 - Insecure Communications A10 - Failure to Restrict URL Access NIST 800-53 Rev3 Controls SI-10: Information Input Validation SI-10: Information Input Validation Not specified AC-3: Access Enforcement Not specified SI-11: Error Handling SC-23: Session Authenticity SC-13: Use of Cryptography SC-9: Transmission Confidentiality AC-3: Access Enforcement 12

SANS Top 25 (1 of 3) - Insecure Interaction Between Components Map to FISMA Controls Top 25 Coding Vulnerabilities CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output CWE-89: SQL Injection CWE-79: Cross-site Scripting CWE-78: OS Command Injection CWE-319: Clear-text Transmission of Sensitive Information CWE-352: Cross-Site Request Forgery (CSRF) CWE-362: Race Condition CWE-209: Error Message Information Leak NIST 800-53 Rev3 Controls SI-10: Information Input Validation Not specified SI-10: Information Input Validation SI-10: Information Input Validation SI-10: Information Input Validation SC-9: Transmission Confidentiality Not specified Not specified SI-11: Error Handling 13

SANS Top 25 (2 of 3) Porous Defenses Map to FISMA Controls Top 25 Coding Vulnerabilities CWE-285: Improper Access Control (Authorization) CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-259: Hard-Coded Password CWE-732: Insecure Permission Assignment for Critical Resource CWE-330: Use of Insufficiently Random Values CWE-250: Execution with Unnecessary Privileges CWE-602: Client-Side Enforcement of Server- Side Security NIST 800-53 Rev3 Controls AC-3: Access Enforcement SC-13: Use of Cryptography IA-5: Authenticator Management AC-3: Access Enforcement Not specified AC-6: Least Privilege Not specified 14

SANS Top 25 (3 of 3) - Risky Resource Management Map to FISMA Controls Top 25 Coding Vulnerabilities NIST 800-53 Rev3 Controls CWE-119: Memory Buffer Overrun SA-8: Security Engineering Principles 1 CWE-642: External Control of Critical State Data SA-8: Security Engineering Principles 1 CWE-73: External Control of File Name or Path SA-8: Security Engineering Principles 1 CWE-426: Un-trusted Search Path SA-8: Security Engineering Principles 1 CWE-94: Code Injection SA-8: Security Engineering Principles 1 CWE-494: Download of Code Without Integrity Check SI-7: Software and Information Integrity CWE-404: Improper Resource Shutdown or Release SA-8: Security Engineering Principles 1 CWE-665: Improper Initialization SA-8: Security Engineering Principles 1 CWE-682: Incorrect Calculation SA-8: Security Engineering Principles 1 1 Weak Mapping 15

Application Security Verification Std 2009 Map to FISMA Controls ASVS Security Requirement Areas NIST 800-53 Rev 3 Controls Cover age V1 - Security Architecture Documentation RA-3 1 of 6 V2 - Authentication Verification AC-2, AC-3, AC-5, AC-7, AC-11, AC-14, AU-2, IA-2, IA- 5, IA-6, IA-8, SC-24, SI-3 12 of 15 V3 - Session Management Verification AC-11, SC-10, SC-23, SI-3 9 of 13 V4 - Access Control Verification AC-2, AC-3, AC-6, SI-3, AU-2 10 of 15 V5 - Input Validation Verification SA-8, SI-3, SI-10, AU-2 7 of 9 V6 - Output Encoding/Escaping Verification SI-3, SI-10 5 of 10 V7 - Cryptography Verification IA-5, SC-12, SC-13, SI-3, AU-2 6 of 10 V8 - Error Handling and Logging Verification SI-3, SI-11, AU-3, AU-9 7 of 12 V9 - Data Protection Verification 0 of 6 V10 - Communication Security Verification AC-4, AC-6, IA-3, IA-5, SC-8, SC-9, SC-24, AU-2 7 of 9 V11 - HTTP Security Verification SC-23 1 of 7 V12 - Security Configuration Verification CM-5, SI-6, SI-7, AU-2 3 of 4 V13 - Malicious Code Search Verification SI-3, SI-7 2 of 2 V14 - Internal Security Verification SC-4, SC-28 2 of 3 16

Agenda Application Security Best Practices Federal IT Security Landscape Mapping AppSec Best Practices to FISMA Observations Wrap-Up 17

Observations NIST SP 800-53 Rev 2 had little or no support for Application Security practices HOWEVER, NIST SP 800-53 Rev 3 has built a solid level of support for Application Security Application Security requirements are sprinkled Difficult to assemble to form complete picture SP 800-53 Rev 3 could be further refined for AppSec Specific recommendations for change to existing controls Specific recommendations for new requirements 18

SP 800-53 Rev 1 Recommended Refinements (I) AT-3: Security Training Require training for software developers/integrators CA-2: Security Assessment Require Red Team exercises targeted at Software Applications CA-7: Continuous Monitoring Require Red Team exercises at HIGH baseline CM-4: Security Impact Analysis Explicitly require security impact analysis for software changes 19

SP 800-53 Rev 1 Recommended Refinements (II) IA-5: Authenticator Management Require check for unencrypted authenticators in code/scripts at MODERATE and HIGH PL-2: System Security Plan Require Enhancements (CONOPS, Architecture) at HIGH SC-23: Session Authenticity Require enhancements for session ID management at MODERATE/HIGH SI-3: Malicious Code Protection Promote guidance on secure coding and monitoring practices to control description section 20

SP 800-53 Rev 1 Recommended Refinements (III) SA-5: Information System Documentation Reword to apply to custom developed software systems; currently slanted for vendor/manufacturer developed systems Move enhancement related to code reviews to CA-3 or RA-5 SA-8: Security Engineering Principles Move guidance on security training for developers/integrators to AT-3 SA-11: Developer Security Testing Require enhancements for independent code analysis and vulnerability analysis at HIGH 21

Sp 800-53 Rev 3 Extensions/Additions Sensitive Resource Identification (Data, URLs, Config Files, etc.) SC-28: Protection of Information at Rest Expand scope to require explicit identification of sensitive information Conditioning of Output Content/Data SI-12: Information Output Handling and Retention Expand scope to include checking outputs for valid syntax/semantics Server-Side Implementation of Security Services Add new control requiring Common, Non-circumventable Implementation of server-side security checks 22

Agenda Application Security Best Practices Federal IT Security Landscape Mapping AppSec Best Practices to FISMA Observations Wrap-Up 23

Wrap-Up and Final Thoughts Time to focus on Application/Software Security NIST SP 800-53 Rev3 provides excellent boost to AppSec within FISMA Refinements/Extensions could further strengthen AppSec practice under FISMA Updates to SP 800-53A could strengthen AppSec Testing OMB mandate could provide added impetus to AppSec Let s not wait for a catastrophic AppSec breach A memo in time could save nine! QUESTIONS?? 24

Application Security Federal References DISA Application Security and Development STIG July 2008 Application Security and Development Checklist Version 2 Release 1.5 - June 2009 NIST SP 800-53 Rev 3 Recommended Security Controls for Federal Information Systems and Organizations SP 800-64 Rev 2 Security Considerations in the System Development Life Cycle Oct 2008 SP 800-115 (draft) - Technical Guide to Information Security Testing Nov 2007 Security Content Automation Protocol (SCAP) 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information